Part 3 in this series covers best practices for configuring BitLocker for Active Directory through Group Policy.

The last thing you’ll need to do before encrypting your next drive is to configure Group Policy. The settings below are the essential ones from Microsoft’s best-practice guidance; my own experience with them follows the list. In a new or existing Group Policy Object, navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, and set the following:

Top Level / Global

  • Choose drive encryption method and cipher strength – Set to not configured.
  • Prevent memory overwrite on restart – Set to not configured.
  • Provide the unique identifiers for your organization - Set to enabled, and enter an identifier in the BitLocker identification field.

Operating system drives

  • Choose how BitLocker-protected operating system drives can be recovered - Set to enabled, save BitLocker recovery information to Active Directory Domain Services (AD DS) for operating system drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for operating system drives, and omit recovery options from the BitLocker setup wizard.
  • Configure minimum PIN length for startup - Set to enabled, and require a personal identification number (PIN) of at least seven numerals.
  • Require additional authentication at startup - Set to enabled, and require the use of a startup PIN with a Trusted Platform Module (TPM).

Fixed data drives

  • Choose how BitLocker-protected fixed drives can be recovered - Set to enabled, save BitLocker recovery information to AD DS for fixed data drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for fixed data drives, and omit recovery options from the BitLocker setup wizard.
  • Configure use of passwords for fixed data drives - If your organization does not have a public key infrastructure (PKI), set to enabled, require password complexity, and set a minimum password length of at least 12 characters.
  • Configure use of smart cards on fixed data drives - If your organization has a PKI, set to enabled, and require the use of smart cards with fixed data drives.

Removable data drives

  • Choose how BitLocker-protected removable drives can be recovered - Set to enabled, save BitLocker recovery information to AD DS for removable data drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for removable data drives, and omit recovery options from the BitLocker setup wizard.
  • Configure use of passwords for removable data drives - Set to enabled, set a minimum password length of at least 12 characters, and require password complexity if your organization does not have a PKI or if there is a need to access BitLocker-protected drives from computers running Windows XP or Windows Vista.
  • Configure use of smart cards on removable data drives - Set to enabled, and require the use of smart cards with removable data drives if your organization has a PKI.
  • Control use of BitLocker on removable drives - Set to enabled, and allow users to apply BitLocker protection on removable drives.
  • Deny write access to removable data drives not protected by BitLocker - Set to enabled, and disallow write access to devices configured in another organization. NOTE: This policy cannot be enabled if your organization uses recovery keys or startup keys. Recovery keys and startup keys must be stored on unencrypted USB drives.
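
Once the GPO above has applied, the following PowerShell, added here as an example and not taken from the original article, walks the operating-system-drive case end to end on a client: it refuses to continue without a ready TPM, creates and escrows the recovery password before encryption starts (which is exactly what “do not enable BitLocker until recovery information is stored to AD DS” enforces), enables TPM+PIN, and then queries AD DS for the msFVE-RecoveryInformation object under the computer account. The $MountPoint and $MinimumPinLength parameters and the use of the RSAT ActiveDirectory module for the final check are my assumptions.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not part of the original article): enable BitLocker on the OS
  drive the way the GPO above expects - TPM + startup PIN, with a recovery
  password escrowed to AD DS before encryption starts - then verify that the
  msFVE-RecoveryInformation object really exists under the computer account.
  Assumptions: a domain-joined Windows client with a ready TPM, the BitLocker
  module, and (for the final check) the RSAT ActiveDirectory module.
#>
param(
    [string]$MountPoint = 'C:',
    [int]$MinimumPinLength = 7   # mirrors "Configure minimum PIN length for startup" above
)

# 1. The policy above does not allow BitLocker without a compatible TPM, so stop early.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present/ready; the startup policy above will not let BitLocker enable.'
}

# 2. Read the PIN as a SecureString and enforce numerals-only / minimum length locally,
#    so a bad PIN fails here rather than deep inside Enable-BitLocker.
$pin  = Read-Host -AsSecureString -Prompt "Startup PIN (at least $MinimumPinLength numerals)"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pin)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
if ($plain -notmatch "^\d{$MinimumPinLength,}$") {
    throw "PIN must be at least $MinimumPinLength numerals."
}
Remove-Variable plain

# 3. Create the recovery password first and push it to AD DS explicitly. With
#    "Do not enable BitLocker until recovery information is stored to AD DS" in
#    force, encryption is refused until this escrow has succeeded.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

# 4. Add the TPM+PIN protector and start encrypting. No -EncryptionMethod is passed
#    because the article leaves "Choose drive encryption method" not configured.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest | Out-Null
} else {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
}

# 5. Local view: which protectors exist and whether protection is on.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }

# 6. AD view: the escrowed object is a child of the computer account whose name ends
#    with the recovery protector's GUID. An object with a different GUID means the
#    escrow is stale (e.g. the recovery password was regenerated after the backup).
Import-Module ActiveDirectory
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$escrowed = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties msFVE-RecoveryPassword, whenCreated
$match = $escrowed | Where-Object { $_.Name -like "*$($rp.KeyProtectorId)*" }
if ($match) {
    "AD DS holds the recovery password for protector $($rp.KeyProtectorId) (created $($match.whenCreated))"
} else {
    Write-Warning "No msFVE-RecoveryInformation object for $($rp.KeyProtectorId) under $computerDn; do not hand this machine out yet."
}
```

Reading the escrowed object back needs an account that has been granted read access to msFVE-RecoveryPassword (by default only Domain Admins have it), so run step 6 as a helpdesk or admin account rather than as the end user.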

There are a few things to note when configuring these settings in Group Policy for your Active Directory. First, the PIN and password lengths above (a startup PIN of at least seven numerals, passwords of at least 12 characters for data drives) are Microsoft’s best-practice recommendations, not necessarily the best settings for your organization. It may take some testing or trial and error to find what fits your security requirements and what your user base will accept. That said, my experience has been that these settings are very reasonable and work well for the average end user. Pay close attention to the minimum PIN length for operating system drives: it makes little sense to encrypt the OS and then protect it with a short PIN. The TPM’s anti-hammering lockout only slows guessing down; a four-digit PIN still leaves just 10,000 combinations, whereas seven numerals give ten million.

Second, make sure you get the “Require additional authentication at startup” setting correct under “Operating system drives.” Leave “Allow BitLocker without a compatible TPM” unchecked, set “Configure TPM startup PIN” to “Require startup PIN with TPM,” and set the other three startup options (TPM only, startup key, startup key and PIN) to “Do not allow.” Requiring more than one option at once is a conflict that BitLocker rejects, and leaving one of them at “Allow” means a TPM-only protector can still be created and the PIN requirement is not actually enforced. This is how it should look:

Screenshot: Correct settings for OS drive startup

Do you want to back up the TPM owner information? If so, go to Computer Configuration, Policies, Administrative Templates, System, Trusted Platform Module Services, and set “Turn on TPM backup to Active Directory Domain Services” to Enabled, with “Require TPM backup to AD DS” checked. Note that this only matters for clients older than Windows 10 1607: from 1607 onward, Windows no longer retains the TPM owner password when it provisions the TPM, so there is nothing to back up and this setting has no effect.

Screenshot: Backup TPM owner info

What are the typical power settings on your laptops? If you want your BitLocker-encrypted devices to be as secure as possible, you’ll need to disable Sleep (the S1-S3 standby states). While a machine sleeps, the volume master key stays in RAM and the pre-boot PIN is never asked for on resume, so an attacker who picks up the laptop faces only the Windows lock screen and can go after the key in memory with a DMA or cold-boot attack. Hibernation (S4) does not have this problem: memory is written to the hibernation file on the encrypted volume and BitLocker asks for the PIN again when the machine comes back. Go to Computer Configuration, Policies, Administrative Templates, System, Power Management, Sleep Settings, and disable both settings below. Afterwards, powercfg /a on a client should no longer list Standby (S3) among the available sleep states.

  • Sleep Settings
    • Allow Standby States (S1-S3) When Sleeping (Plugged In) – Disabled
    • Allow Standby States (S1-S3) When Sleeping (On Battery) - Disabled
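
Group Policy delivers all of the settings in this article as registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE (BitLocker) and HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings\<guid> (Sleep Settings), so the quickest way to confirm that a client actually received the GPO is to read those values back. The audit script below is an added example, not part of the original article: it compares the effective policy on a client against the BitLocker and standby settings recommended above and prints OK/FAIL per setting. The value names and their numeric meanings are taken from the FVE and power ADMX files as I know them and should be treated as assumptions; confirm any FAIL against the ADMX or a gpresult /h report before acting on it.

```powershell
<#
  Added example (not part of the original article): audit a domain-joined client's
  effective BitLocker and power policy against the settings recommended above.
  Value names / numeric meanings below are from FVE.admx and the power ADMX as I
  know them - treat them as assumptions and confirm against your ADMX before
  trusting a FAIL. Run after gpupdate /force; reading the policy hive needs no
  elevation. Exit code 1 if anything fails, so it can be used from a login script.
#>
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# GUID of "Allow Standby States (S1-S3) When Sleeping" in the Sleep Settings subgroup
$standby = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'

$expected = @(
    # -- Top level / global --
    @{ Key=$fve; Name='IdentificationField';             Want=1;  Note='Provide the unique identifiers: enabled' }
    # -- Operating system drives --
    @{ Key=$fve; Name='OSRecovery';                      Want=1;  Note='Choose how OS drives can be recovered: enabled' }
    @{ Key=$fve; Name='OSActiveDirectoryBackup';         Want=1;  Note='Save OS recovery info to AD DS' }
    @{ Key=$fve; Name='OSActiveDirectoryInfoToStore';    Want=1;  Note='Store recovery passwords and key packages' }
    @{ Key=$fve; Name='OSRequireActiveDirectoryBackup';  Want=1;  Note='Do not enable BitLocker until info is in AD DS (OS)' }
    @{ Key=$fve; Name='OSHideRecoveryPage';              Want=1;  Note='Omit recovery options from the wizard (OS)' }
    @{ Key=$fve; Name='MinimumPIN';                      Want=7;  Note='Minimum startup PIN length' }
    @{ Key=$fve; Name='UseAdvancedStartup';              Want=1;  Note='Require additional authentication at startup: enabled' }
    @{ Key=$fve; Name='EnableBDEWithNoTPM';              Want=0;  Note='Allow BitLocker without a compatible TPM: unchecked' }
    @{ Key=$fve; Name='UseTPM';                          Want=0;  Note='TPM-only startup: do not allow' }
    @{ Key=$fve; Name='UseTPMPIN';                       Want=1;  Note='Startup PIN with TPM: require' }
    @{ Key=$fve; Name='UseTPMKey';                       Want=0;  Note='Startup key with TPM: do not allow' }
    @{ Key=$fve; Name='UseTPMKeyPIN';                    Want=0;  Note='Startup key and PIN with TPM: do not allow' }
    # -- Fixed data drives (password settings apply to the no-PKI case) --
    @{ Key=$fve; Name='FDVRecovery';                     Want=1;  Note='Choose how fixed drives can be recovered: enabled' }
    @{ Key=$fve; Name='FDVRequireActiveDirectoryBackup'; Want=1;  Note='Do not enable BitLocker until info is in AD DS (fixed)' }
    @{ Key=$fve; Name='FDVPassphraseLength';             Want=12; Note='Minimum password length for fixed drives' }
    # -- Removable data drives --
    @{ Key=$fve; Name='RDVRecovery';                     Want=1;  Note='Choose how removable drives can be recovered: enabled' }
    @{ Key=$fve; Name='RDVRequireActiveDirectoryBackup'; Want=1;  Note='Do not enable BitLocker until info is in AD DS (removable)' }
    @{ Key=$fve; Name='RDVPassphraseLength';             Want=12; Note='Minimum password length for removable drives' }
    @{ Key=$fve; Name='RDVAllowBDE';                     Want=1;  Note='Allow users to apply BitLocker on removable drives' }
    @{ Key=$fve; Name='RDVDenyWriteAccess';              Want=1;  Note='Deny write access to unprotected removable drives' }
    @{ Key=$fve; Name='RDVDenyCrossOrg';                 Want=1;  Note='Deny write access to devices configured in another organization' }
    # -- Sleep settings: S1-S3 off so the VMK never sits in RAM behind just a lock screen --
    @{ Key=$standby; Name='ACSettingIndex';              Want=0;  Note='Allow Standby States when sleeping (Plugged In): disabled' }
    @{ Key=$standby; Name='DCSettingIndex';              Want=0;  Note='Allow Standby States when sleeping (On Battery): disabled' }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    # A missing key or value returns $null, which never equals the wanted number -> FAIL
    $actual = (Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
    [pscustomobject]@{
        Setting = $Check.Note
        Value   = $Check.Name
        Want    = $Check.Want
        Have    = if ($null -eq $actual) { 'not set' } else { $actual }
        Result  = if ($actual -eq $Check.Want) { 'OK' } else { 'FAIL' }
    }
}

function Get-BitLockerPolicyReport {
    $report = @($expected | ForEach-Object { Test-PolicyValue -Check $_ })
    # The organization identifier is a string, so it gets its own non-empty check
    $id = (Get-ItemProperty -Path $fve -Name IdentificationFieldString -ErrorAction SilentlyContinue).IdentificationFieldString
    $report += [pscustomobject]@{
        Setting = 'BitLocker identification field'; Value = 'IdentificationFieldString'; Want = 'non-empty'
        Have    = if ($id) { $id } else { 'not set' }
        Result  = if ($id) { 'OK' } else { 'FAIL' }
    }
    $report
}

$report = Get-BitLockerPolicyReport
$report | Format-Table Result, Setting, Value, Want, Have -AutoSize
$failed = @($report | Where-Object Result -eq 'FAIL').Count
if ($failed -gt 0) { Write-Warning "$failed policy value(s) differ from the recommended settings"; exit 1 }
exit 0
```

A FAIL on a value that is deliberately different in your environment (for example a longer PIN, or smart cards instead of passwords on data drives) just means the table needs adjusting; the point of the script is to catch clients that never received the GPO, or received an older version of it, before someone encrypts a drive under the wrong settings.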

Screenshot: Disable standby states

5 Comments
  1. HuffLZW 10 years ago

    Do you know if there is a way to replace TPM authentication with storing information in AD?
    I am looking into a way to prevent a machine from booting at all if it’s not on the correct network. Before any comments about a network outage preventing users from booting: users in this situation rely on network availability and should not use a machine if it’s not networked (business location requirement).

    Best Regards

  2. Kyle Beckman 10 years ago

    If you can use Windows 8, the Network Unlock feature sounds like what you’re looking for. In the event the computer wasn’t on the proper network, the user would be prompted for the PIN (that they wouldn’t have) to boot the computer.

  3. Shanif 7 years ago

    We are planning to implement BitLocker in our company. Your article is my tutorial. In my company, most of the laptops do not have a TPM. In that case, is there anything I should follow that might not be mentioned in this article?

  4. Maz 6 years ago

    Dears, I want to ask how to force the users to turn on BitLocker without the helpdesk team.

  5. Stuart Luscombe 6 years ago

    This guide overall was extremely helpful in getting things set up, although a few of the options have changed.

    The Schema extensions and VBS files download no longer works, but all information can be gained by going to https://technet.microsoft.com/en-us/library/dn466534(v=ws.11).aspx.

    Also, as of Windows 10 1607 it is no longer possible to enable the GPO option “Turn on TPM backup to Active Directory Domain Services” – https://docs.microsoft.com/en-gb/windows/device-security/tpm/change-the-tpm-owner-password

© 4sysops 2006 - 2023
